1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-16 15:57:04 +00:00
Commit Graph

3 Commits

Author SHA1 Message Date
Yuta Hayama af312b14fa linux/generate-cve-exclusions: fix mishandling of boundary values
affected_versions in kernel_cves.json does not mean "first affected version
to last affected version" but actually "first affected version to fixed
version". Therefore, the variable names, conditional expressions, and
CVE_STATUS descriptions should be fixed.

For example, when the script was run against v6.1, if affected_versions was
"xxx to 6.1", the output was "cpe-stable-backport: Backported in 6.1", but
this should be "fixed-version: Fixed from version 6.1".

(From OE-Core rev: a0cafa6587acf2b41f0e832d06de884ffe62fd4b)

Signed-off-by: Yuta Hayama <hayama@lineo.co.jp>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 2064b2f9b92e2dff45dab633598b5ed37145d0b6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-10-13 04:31:04 -10:00
Yuta Hayama 67baa777fe linux/generate-cve-exclusions: print the generated time in UTC
Allow time comparisons to be made regardless of where the script was run.

(From OE-Core rev: aa90e5ea1fe77c97e5915e5e9a69bbd0b9461d09)

Signed-off-by: Yuta Hayama <hayama@lineo.co.jp>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 018e74f2ce0b1a4c0614c99bc19f07f787d61123)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-10-11 03:54:46 -10:00
Ross Burton 4a930182bf linux-yocto: add script to generate kernel CVE_CHECK_IGNORE entries
Instead of manually looking up new CVEs and determining what point
releases the fixes are incorporated into, add a script to generate the
CVE_CHECK_IGNORE data automatically.

First, note that this is very much an interim solution until the
cve-check class fetches data from www.linuxkernelcves.com directly.

The script should be passed the path to a local clone of the
linuxkernelcves repository[1] and the kernel version number. It will
then write to standard output the CVE_STATUS entries for every known
kernel CVE.

The script should be periodically reran as CVEs are backported and
kernels upgraded frequently.

[1] https://github.com/nluedtke/linux_kernel_cves

Note: for the backport this is not a cherry-pick of the commit in master
as the variable names are different. This incorporates the following
commits:

linux/generate-cve-exclusions: add version check warning
linux/generate-cve-exclusions.py: fix comparison
linux-yocto: add script to generate kernel CVE_STATUS entries

(From OE-Core rev: f9bfaee1c05a61457ada7850d707a847f327e605)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-08-30 04:52:35 -10:00